May 14, 2022
What every employer needs to know about cybersecurity
Jon Fredrickson, senior vice president and chief risk officer
No organization is immune from potential cyberattacks, and the threat could come from almost anywhere. A click on a seemingly innocent email attachment could paralyze business operations. Sharing files with an improperly vetted vendor could expose your customer base to identity theft, or create a significant liability issue if information were distributed online without confidentiality protections.
The issue of liability is especially significant for companies that have opted to self-fund their health plans. In these instances, the organization assumes full responsibility for the protected health information (PHI) of their insured employees and dependents. That means protecting this data from hackers and other cyber-threats, as well as establishing and maintaining compliance with the rules of the Health Insurance Portability and Accountability Act, or HIPAA.
Accounting for organizational assets
You can’t protect what you don’t know you have. That’s why understanding and accounting for your organization’s assets—including people, information, technology, and facilities—is critical, explains R. Mike Tetreault, Cybersecurity Advisor for Rhode Island, and a member of the U.S. Department of Homeland Security. For example, information—whether hard copy or electronic—is an incredibly valuable asset that can’t be easily recreated or replaced, Tetreault says.
There are steps you can take to establish and maintain a climate of cyber-safety across all levels of your organization. Here are some suggestions to help get you started.
Building a cybersecurity plan
- Understand your business and how many of your company’s operations are IT-dependent. Are any of these operations especially vulnerable? How might threats present themselves?
- Think about your long-term strategy and, once again, identify any cyber risks that could derail efforts to achieve your goals.
- Adopt a cybersecurity framework that aligns with your business model. The framework will likely cover your leadership team, staff, systems, data, and business environment, and will require collaboration with your IT team or vendor. The actions below are a few of those recommended by the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA); the complete list is available from CISA.
- Train your team to develop a culture of cybersecurity awareness, especially as it pertains to potential phishing and business email compromise.
- Implement secure hardware and software configurations, such as enabling automatic updates for operating systems and third-party software, removing unauthorized hardware and software from your systems, and hardening email and web browser security settings.
- Know who is on your network. Only the accounts, vendors, and business partners who truly belong there should have access to your digital workspace.
- Establish a baseline of your current security posture and then perform a gap analysis against your chosen security framework.
- Identify areas of concern, establish a roadmap, and begin incremental improvements. The U.S. Department of Homeland Security offers a cybersecurity resources roadmap that can be helpful for small- and medium-sized businesses.
Ensuring business continuity, protecting customer data
In our increasingly digital, connected world, a thoughtful and agile cybersecurity strategy plays a critical role in ensuring business continuity and protecting employee and customer data. These free resources can help as you develop, test, and refine your approach.
- Cybersecurity and Infrastructure Security Agency (CISA)
- National Institute of Standards and Technology (NIST)
  - Cybersecurity Framework
  - SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- International Organization for Standardization (ISO) 27001, Information Security Management